LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-04-2017, 04:06 AM   #1
ilesterg
Member
 
Registered: Jul 2012
Location: München
Distribution: Debian, CentOS/RHEL
Posts: 587

Rep: Reputation: 72
GPG issues - gpg: signing failed: Permission denied


Hi,

I'm running an Archlinux and I'm having troubles running standard gpg commands as root, which I don't think I ever encountered on other distros such as Centos 6.

Code:
[root@archlinux ~]# uname -a
Linux archlinux 4.9.6-1-ARCH #1 SMP PREEMPT Thu Jan 26 09:22:26 CET 2017 x86_64 GNU/Linux
[root@archlinux ~]# pacman -Qi gnupg
Name            : gnupg
Version         : 2.1.18-1
Description     : Complete and free implementation of the OpenPGP standard
Architecture    : x86_64
URL             : http://www.gnupg.org/
Licenses        : GPL
Groups          : None
Provides        : dirmngr  gnupg2=2.1.18
Depends On      : npth  libgpg-error  libgcrypt  libksba  libassuan  pinentry  bzip2  readline  gnutls  sqlite
Optional Deps   : libldap: gpg2keys_ldap [installed]
                  libusb-compat: scdaemon [installed]
Required By     : gpgme
Optional For    : None
Conflicts With  : dirmngr  gnupg2
Replaces        : dirmngr  gnupg2
Installed Size  : 9.02 MiB
Packager        : Gaetan Bisson <bisson@archlinux.org>
Build Date      : Tuesday, 24 January, 2017 08:00:29 AM PHT
Install Date    : Friday, 27 January, 2017 09:58:17 AM PHT
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

[root@archlinux ~]#
To be exact, I'm having trouble running a simple sign:
Code:
[root@archlinux ~]# gpg --armor --output message.signed --sign message
gpg: signing failed: Permission denied
gpg: signing failed: Permission denied
[root@archlinux ~]#
Again, this appears only when I'm logged in as root.

I believe this thing called pinentry is the one causing the Permission denied error but I can't find anything from the logs. I followed Arch's wiki and created a gpg-agent.conf file, but the error persists.

Code:
[root@archlinux ~]# cat ~/.gnupg/gpg-agent.conf 
default-cache-ttl 300
max-cache-ttl 999999

pinentry-program /usr/bin/pinentry-gtk-2
[root@archlinux ~]# ls -l ~/.gnupg
total 36
drwx------ 2 root root 4096 Dec 31 03:20 crls.d
-rw------- 1 root root   79 Feb  4 16:51 gpg-agent.conf
drwx------ 2 root root 4096 Feb  4 16:54 private-keys-v1.d
-rw-r----- 1 root root 8886 Feb  4 17:23 pubring.kbx
-rw-r----- 1 root root 2810 Feb  4 16:34 pubring.kbx~
-rw------- 1 root root  600 Feb  4 16:57 random_seed
srwx------ 1 root root    0 Feb  4 17:22 S.dirmngr
srwx------ 1 root root    0 Feb  4 17:53 S.gpg-agent
srwx------ 1 root root    0 Feb  4 17:48 S.gpg-agent.browser
srwx------ 1 root root    0 Feb  4 17:48 S.gpg-agent.extra
srwx------ 1 root root    0 Feb  4 17:48 S.gpg-agent.ssh
-rw------- 1 root root 1400 Feb  4 17:24 trustdb.gpg
[root@archlinux ~]#
Another issue I ran into awhile ago was when importing a secret key file:
Code:
[root@archlinux restricted]# gpg --allow-secret-key-import --import draxler.asc 
gpg: key xx: "D <D.x@x.x> not changed
gpg: key xx/xxx: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
[root@archlinux restricted]#
..but I got around it by using --batch, which resulted in a locked private key and a prompt when I tested to use it.

Any ideas on all of these? I want to know what I am missing and I'm also interested on deleting gpg-agent altogether but I can't because Arch wiki says "gpg-agent is mostly used as daemon to request and cache the password for the keychain. This is useful if GnuPG is used from an external program like a mail client. " and I am using Enigmail.

Thanks.
 
Old 02-04-2017, 05:01 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 17,413
Blog Entries: 10

Rep: Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227Reputation: 5227
question: why root?

but if you must:
https://wiki.archlinux.org/index.php/GnuPG#su
 
Old 02-04-2017, 05:25 AM   #3
ilesterg
Member
 
Registered: Jul 2012
Location: München
Distribution: Debian, CentOS/RHEL
Posts: 587

Original Poster
Rep: Reputation: 72
Quote:
Originally Posted by ondoho View Post
question: why root?

but if you must:
https://wiki.archlinux.org/index.php/GnuPG#su
Hmm. I have a lot of security related tasks that I don't want to normal user to see, so I'm making use of root. Is that uncommon?

Thanks for the link. However, is that the best and/or only approach? What if the gpg commnands run via a script? Can I not make use of pinentry when running as root user and just go with the usual password/passphrase prompt just like the good old days?
 
Old 02-07-2017, 08:19 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,233
Blog Entries: 4

Rep: Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260Reputation: 3260
Quote:
Originally Posted by ilesterg View Post
Hmm. I have a lot of security related tasks that I don't want to normal user to see, so I'm making use of root. Is that uncommon?
I would set up a non-root user with a closed home-directory that is used for these security related activities and nothing more.

Root mode is obviously dangerous because it is (in default distros) unconstrained. Point the thing at your foot, click, bang, no foot.
 
  


Reply

Tags
arch linux, gpg, gpg-agent, systemd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
new gpg encryption/signing frontend -- looking for name suggestions ryran Linux - General 13 01-27-2012 02:09 PM
GPG: Bad session key gpg between gpg on linux and gpg gui on windows XP konqi Linux - Software 1 07-21-2009 09:37 AM
Signing rpms with gpg arizonagroovejet Linux - General 5 07-20-2009 09:20 AM
Evolution and GPG signing error RebootKid Linux - Software 2 09-22-2004 11:49 PM
gpg encryption for signing keys synapse Mandriva 1 01-22-2004 10:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration